New pfSense install, unbound regularly stops resolving internal hostnames.



  • As per the title, I've got a new pfSense install; it uses the DNS resolver (default)

    my box name is fayers-pfsense domain is fayers-local.lan

    Regularly (nothing noted in logs) unbound stops giving me any results to an nslookup fayers-pfsense on my devices.

    It will still happily resolve things like Google though; it just gives up on internal addresses. Ideas?



  • I had to put my local domain & nets in the "Custom Options" box, at the bottom, else unbound would refuse resolving those.
    Note I use external (local Linux) DNSes, and have unbound forward queries to those.

    This went into my Custom Options

    
    server:
    private-domain: "mydomain.org"
    local-zone: "1.168.192.in-addr.arpa." transparent
    local-zone: "2.168.192.in-addr.arpa." transparent
    local-zone: "1.10.in-addr.arpa." transparent
    local-zone: "2.10.in-addr.arpa." transparent
    
    

    /Bingo



  • @bingo600:

    I had to put my local domain & nets in the "Custom Options" box, at the bottom, else unbound would refuse resolving those.
    Note I use external (local Linux) DNSes, and have unbound forward queries to those.

    This went into my Custom Options

    
    server:
    private-domain: "mydomain.org"
    local-zone: "1.168.192.in-addr.arpa." transparent
    local-zone: "2.168.192.in-addr.arpa." transparent
    local-zone: "1.10.in-addr.arpa." transparent
    local-zone: "2.10.in-addr.arpa." transparent
    
    

    /Bingo

    Interesting…

    but mine sometimes works, that's the thing...


  • Netgate

    I would look at all of the name servers configured on that client  and dig to them all and see what's not working right.



  • @bingo600:

    I had to put my local domain & nets in the "Custom Options" box, at the bottom, else unbound would refuse resolving those.
    Note I use external (local Linux) DNSes, and have unbound forward queries to those.

    This went into my Custom Options

    
    server:
    private-domain: "mydomain.org"
    local-zone: "1.168.192.in-addr.arpa." transparent
    local-zone: "2.168.192.in-addr.arpa." transparent
    local-zone: "1.10.in-addr.arpa." transparent
    local-zone: "2.10.in-addr.arpa." transparent
    
    

    /Bingo

    After adding this and changing for my network it worked for a while then stopped working again.


  • Netgate

    "stopped working" is not going to be enough to help you.

    What name servers are configured on the client that "stops working?"

    What happens when you specifically query those name servers for names that "stopped working."

    Is anything interesting logged in the DNS Resolver logs?



  • @Derelict:

    "stopped working" is not going to be enough to help you.

    What name servers are configured on the client that "stops working?"

    What happens when you specifically query those name servers for names that "stopped working."

    Is anything interesting logged in the DNS Resolver logs?

    Nothing in the DNS Resolver logs.

    If I dig @192.168.0.1 I still have the issue.

    When it "stops working" on the client the only DNS it has set is 192.168.0.1.

    I will get this in nslookup:

    Server:  fayers-pfSense.fayers-local.lan
    Address:  192.168.0.1
    
    *** fayers-pfSense.fayers-local.lan can't find fayers-pfSense.fayers-local.lan: Non-existent domain
    

    OR

    
    Server:  UnKnown
    Address:  192.168.0.1
    
    *** UnKnown can't find fayers-pfsense.fayers-local.lan: Non-existent domain
    
    

  • Netgate

    dig output would be better than crappy nslookup.

    So it is returning NXDOMAIN.

    You will probably want to post your entire unbound config: /var/unbound/unbound.conf

    You can try running these when problems do and do not occur to see if they help shed any light:

    unbound-control -c /var/unbound/unbound.conf list_local_data
    unbound-control -c /var/unbound/unbound.conf list_local_zones



  • @Derelict:

    dig output would be better than crappy nslookup.

    So it is returning NXDOMAIN.

    Windows doesn't have dig

    @Derelict:

    You will probably want to post your entire unbound config: /var/unbound/unbound.conf

    You can try running these when problems do and do not occur to see if they help shed any light:

    unbound-control -c /var/unbound/unbound.conf list_local_data
    unbound-control -c /var/unbound/unbound.conf list_local_zones

    My config is attached to this

    When it's not working on the client it still works if I dig or nslookup from the router itself.

    unbound.conf.txt


  • Netgate

    @benfayers:

    @Derelict:

    dig output would be better than crappy nslookup.

    So it is returning NXDOMAIN.

    Windows doesn't have dig

    So debug from something with real tools available.

    @Derelict:

    You will probably want to post your entire unbound config: /var/unbound/unbound.conf

    You can try running these when problems do and do not occur to see if they help shed any light:

    unbound-control -c /var/unbound/unbound.conf list_local_data
    unbound-control -c /var/unbound/unbound.conf list_local_zones

    My config is attached to this

    When it's not working on the client it still works if I dig or nslookup from the router itself.

    You should not need any custom options to do what you are doing.

    Delete all of those and just use host overrides and see if things improve.

    The only time you need to do special local-zones like that is when you have global name servers that return private RFC1918 answers that trip the DNS Rebinding protections.

    I wonder if your host is looking up IPv6/AAAA or something that isn't present so you get NODATA or NXDOMAIN for that since you have the zone set to static.



  • @Derelict:

    I wonder if your host is looking up IPv6/AAAA or something that isn't present so you get NODATA or NXDOMAIN for that since you have the zone set to static.

    This definitely seems plausible, how would I check this?
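As an added worked example (not from any post in this thread): a small Python probe that sends A and AAAA queries straight to the resolver and classifies each reply as ANSWER, NODATA (NOERROR with an empty answer section) or NXDOMAIN, which is exactly the distinction the previous reply raised. It assumes the resolver address 192.168.0.1 and the host name quoted in the thread, uses only the standard library, and so also runs on a Windows client where dig is unavailable; the embedded sample reply is constructed, not captured.

```python
import socket
import struct
# Added probe for this thread (not from any post): ask the resolver directly
# for A and AAAA records and classify each reply the way a client sees it.
# Assumptions: resolver 192.168.0.1 and the host name quoted in the thread.
RESOLVER = "192.168.0.1"
HOSTNAME = "fayers-pfsense.fayers-local.lan"
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

# Constructed sample reply (not a capture): flags QR+RD+RA with rcode 3,
# one question, no answers, i.e. the NXDOMAIN that nslookup reported above.
SAMPLE_NXDOMAIN = bytes.fromhex("123481830001000000000000")

def build_query(name, qtype, txid=0x1234):
    """Minimal DNS query: header with RD set, one question, no EDNS."""
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in name.rstrip(".").split("."))
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def classify(resp, txid=0x1234):
    """Map a raw reply to ANSWER / NODATA / NXDOMAIN / other rcode name."""
    if len(resp) < 12:
        return "MALFORMED"
    rid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid or not flags & 0x8000:
        return "MISMATCH"  # wrong transaction id or QR bit not set
    rcode = RCODES.get(flags & 0x000F, "RCODE%d" % (flags & 0x000F))
    if rcode == "NOERROR":
        # Empty answer section with NOERROR is NODATA: name exists, no such type.
        return "ANSWER" if an > 0 else "NODATA"
    return rcode

def probe(server=RESOLVER, name=HOSTNAME, timeout=2.0):
    """Send A (type 1) and AAAA (type 28) queries over UDP, classify both."""
    result = {}
    for label, qtype in (("A", 1), ("AAAA", 28)):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(build_query(name, qtype), (server, 53))
            try:
                reply, _ = sock.recvfrom(4096)
                result[label] = classify(reply)
            except socket.timeout:
                result[label] = "TIMEOUT"
    return result

if __name__ == "__main__":
    print("constructed sample:", classify(SAMPLE_NXDOMAIN))
    print("live probe:", probe())
```

Run it while the client is in the "stopped working" state and again when it is fine: an A of NXDOMAIN alongside an AAAA of NODATA points at the static local-zone answering for a missing record type, whereas NXDOMAIN on both points at the name itself being absent from unbound's local data.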